
SPAM/Mailman mystery

Discussion in 'E-mail Discussion' started by JanKrohn, Jan 31, 2019.

  1. JanKrohn

    JanKrohn Well-Known Member

    Joined:
    May 6, 2013
    Messages:
    48
    Likes Received:
    4
    Trophy Points:
    8
    Location:
    Phnom Penh
    cPanel Access Level:
    Root Administrator
    I have set up Mailman to have all list members moderated (default_member_moderation), and just one email address to be allowed to post (accept_these_nonmembers). So I'm actually "misusing" Mailman to operate a newsletter instead of a mailing list.

    Yesterday, with these settings, a spam message came through (one of the notorious bitcoin blackmail type) and was distributed to 3600 recipients. The sender address is not a list member. Therefore, it should not have been accepted by Mailman. (Mystery #1).

    Secondly, the spam score was 10.0. However, SpamAssassin is configured to delete messages over the threshold of 6.0. (Mystery #2).

    I would really like to prevent this from happening again, and fix the hole in the configuration. But I'm clueless how it happened in the first place.

    I do have the headers of the spam message after it has been distributed through Mailman, one from Naver, and one from outlook.com. They clearly show that the message came from somewhere outside (which is good; so my server is not compromised).

    Here the Outlook headers:

    - Removed Please review Guide To Opening An Effective Forums Thread -

    Any insights with the issue would be extremely welcome...
     
    #1 JanKrohn, Jan 31, 2019
    Last edited by a moderator: Jan 31, 2019
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,476
    Likes Received:
    507
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @JanKrohn

    Have you checked the exim logs for this email transaction? I feel like that would be the most useful bit in understanding how this came to occur. If you add them here just replace any identifying information.
     
  3. JanKrohn

    I had replaced my domain with mydomain.net, my server domain with myserver.com, the spammer domain with spammer.hr, my cPanel user with myuser, and the last two blocks of my IP address with xxx.xxx. So what's the problem?

    Thanks, very helpful. I just looked at my exim log for the first time ever! The whole incident has more than 11,000 lines of log. I'll just copy the first few lines until outbound delivery starts.

    Code:
    2019-01-31 00:19:30 1gp04n-0007q6-44 H=win2.example.com [213.147.xxx.xx]:2079 Warning: Message has been scanned: no virus or other harmful content was found
    2019-01-31 00:19:31 1gp04n-0007q6-44 H=win2.example.com [213.147.xxx.xx]:2079 Warning: "SpamAssassin as myuser detected message as spam (10.0)"
    2019-01-31 00:19:31 1gp04n-0007q6-44 <= [email protected] H=win2.example.com [213.147.xxx.xx]:2079 P=esmtp S=5098 [email protected] T="This account has been hacked! Change your password right now!" for [email protected]
    2019-01-31 00:19:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gp04n-0007q6-44
    2019-01-31 00:19:31 1gp04n-0007q6-44 => win-iso <[email protected]> R=mailman_virtual_router T=mailman_virtual_transport
    2019-01-31 00:19:31 1gp04n-0007q6-44 Completed
    2019-01-31 00:19:31 SMTP connection from win2.example.com [213.147.xxx.xx]:2079 closed by QUIT
    2019-01-31 00:19:32 SMTP connection from [::1]:60382 (TCP/IP connection count = 1)
    2019-01-31 00:19:32 SMTP connection identification H=localhost A=::1 P=60382 U=mailman ID=995 S=mailman B=identify_local_connection
    2019-01-31 00:19:32 1gp04q-0007vr-R2 H=(cvps173830114556.myserver.com) [::1]:60382 Warning: Message has been scanned: no virus or other harmful content was found
    2019-01-31 00:19:32 1gp04q-0007vr-R2 <= [email protected] H=(cvps173830114556.myserver.com) [::1]:60382 P=esmtp S=6055 [email protected] T="[win-iso] ***SPAM*** This account has been hacked! Change your\n password right now!" for <list of recipients... outbound distribution starting NOW!>
    
     
    #3 JanKrohn, Feb 4, 2019
    Last edited by a moderator: Feb 4, 2019
  4. cPanelLauren

    Hi @JanKrohn

    Congratulations on successfully utilizing the exim logs to troubleshoot an issue!

    Looking at this and at the moderated portion of your initial message I believe I have some further questions:

    1. If you go to cPanel >> Email >> Mailing Lists, under Access, what is the Access Status of the list you have?
    2. If you go from the mailing list UI above to Manage next to the mailing list, then Privacy Options -> Sender Filters, what is set for "Action to take for postings from non-members for which no explicit action is defined"?

    As far as why the initial post was moderated, we try not to include any domain names except for examples in posts, so the Hotmail/MS info is most likely why @Infopro moderated it, though he may have further reasoning for that as well.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,948
    Likes Received:
    485
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    There was just too much information in the email samples including text of the emails themselves, to leave on the forum.
     
  6. JanKrohn

    The same message was distributed over my mailing list a total of three times now. I've made some modifications in the configuration since then.
    All affected lists are public (as they should be, as they're open to all my visitors).

    That setting is "reject" for all of my lists, both before and after re-configuration.
    From the mail log I could see thousands of spamming attempts, but only these bitcoin scam mails are being ignored by the configuration.

    As a workaround, I have restricted the message size to 1 kB so that everything is moderated now, banned all non-members that were allowed to post, and configured pre-authorization for a few selected members. Seems to be working, but it's not a long-term solution.

    The spam score of 10.0 being ignored by the deletion threshold is another issue...
    (Auto-Delete is enabled. This will permanently delete all new email messages with a calculated spam score that meets or exceeds the Auto-Delete Threshold Score (6).)
     
  7. cPanelLauren

    Hi @JanKrohn

    While I understand why you'd want them available to your users, you might rethink some of the settings for private/public:

    We can use my test server as an example:


    For a public list the following are checked:

    Include this list in Mailman’s public advertisement of this server’s mailing lists.
    Require only email confirmation for new subscribers.

    That's entirely up to you though.

    This is because of the header forgery that's being done. I'm curious also if setting the following will stop it from occurring as well:

    That's intriguing. I tried to test this to see if my mail would also be accepted (if this is replicable, it's worthy of an internal case), but I was unable to do so. Please see below:
    Code:
    2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: "SpamAssassin as myuser detected message as spam (1002.7)"
    2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: Message has been scanned: no virus or other harmful content was found
    2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<[email protected]> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (80)."
    I sent this to an email list which I created for testing purposes and confirmed it doesn't get forwarded on to my users. Which version of cPanel are you using? The only differences I see are that

    1. I wasn't able to use something that would be potential header forgery
    2. We could be using different versions of cPanel - I tested on v78.0.6
     
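The exim log excerpts in posts #3 and #7 show the two outcomes side by side: a message SpamAssassin scored 10.0 that Exim still handed to mailman_virtual_router, and one scored 1002.7 that was "rejected after DATA". The following script is an added example (not code from the thread or from cPanel) that parses mainlog lines in that format, groups them by queue id, and flags messages that scored at or above the auto-delete threshold yet were delivered, as well as list hand-offs from senders outside the allowed-poster set. The log lines, queue ids, hosts and addresses it runs on are constructed to mirror the format on the page; the threshold of 6.0 and the router name come from the thread.

```python
"""Audit Exim mainlog lines for two conditions discussed in this thread:
(1) a message SpamAssassin scored at or above the auto-delete threshold that
Exim nevertheless delivered (here: handed to Mailman's router), and
(2) a message handed to a Mailman list from a sender outside the allowed-poster set.
All queue ids, hosts and addresses below are constructed, not taken from a real server."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "<date> <time> <queue-id> <rest>"; Exim queue ids are 6-6-2 characters (e.g. 1gp04n-0007q6-44).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S{6}-\S{6}-\S{2}) (?P<rest>.*)$")
SCORE_RE = re.compile(r"SpamAssassin as (?P<user>\S+) detected message as spam \((?P<score>[\d.]+)\)")
ARRIVAL_RE = re.compile(r'^<= (?P<sender>\S+) .*? T="(?P<subject>.*?)"')  # "<=" marks message acceptance
DELIVERY_RE = re.compile(r"^=> \S+ <(?P<addr>[^>]+)> R=(?P<router>\S+) T=(?P<transport>\S+)")  # "=>" marks delivery
REJECT_RE = re.compile(r"rejected after DATA")

@dataclass
class Message:
    id: str
    score: Optional[float] = None
    sender: Optional[str] = None
    subject: Optional[str] = None
    deliveries: List[Tuple[str, str]] = field(default_factory=list)  # (router, transport) pairs
    rejected: bool = False

@dataclass
class Finding:
    id: str
    check: str
    outcome: str
    score: Optional[float]
    sender: Optional[str]
    routers: List[str]

def parse_mainlog(lines) -> Dict[str, Message]:
    """Group mainlog lines by queue id. Lines without a queue id (SMTP connection,
    cwd=, daemon lines) carry no per-message state and are skipped."""
    msgs: Dict[str, Message] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = msgs.setdefault(m["id"], Message(m["id"]))
        rest = m["rest"]
        if (s := SCORE_RE.search(rest)):
            msg.score = float(s["score"])
        elif (a := ARRIVAL_RE.match(rest)):
            msg.sender, msg.subject = a["sender"], a["subject"]
        elif (d := DELIVERY_RE.match(rest)):
            msg.deliveries.append((d["router"], d["transport"]))
        elif REJECT_RE.search(rest):
            msg.rejected = True
    return msgs

def audit(msgs: Dict[str, Message], threshold: float = 6.0, allowed_posters=frozenset()) -> List[Finding]:
    """threshold mirrors the thread's Auto-Delete Threshold Score of 6. A DELIVERED outcome
    on a spam-over-threshold message is the condition the thread calls Mystery #2; REJECTED
    is the behaviour seen in the v78 test in post #7."""
    findings: List[Finding] = []
    for msg in sorted(msgs.values(), key=lambda x: x.id):
        routers = sorted({r for r, _ in msg.deliveries})
        if msg.score is not None and msg.score >= threshold:
            outcome = "DELIVERED" if msg.deliveries else ("REJECTED" if msg.rejected else "NO-OUTCOME")
            findings.append(Finding(msg.id, "spam-over-threshold", outcome, msg.score, msg.sender, routers))
        # A hand-off to mailman_virtual_router only shows Exim accepted the post for the list;
        # whether Mailman then distributed it shows up as a second queue id re-injected from
        # localhost with U=mailman (as in post #3). Flag the hand-off when the envelope sender
        # is not one of the addresses allowed to post (allowed_posters is a constructed set).
        if "mailman_virtual_router" in routers and msg.sender and msg.sender not in allowed_posters:
            findings.append(Finding(msg.id, "list-post-from-unlisted-sender", "DELIVERED", msg.score, msg.sender, routers))
    return findings

# Constructed sample log in the mainlog format shown in the thread (three messages).
SAMPLE_LOG = """\
2019-01-31 00:19:30 1gp04n-0007q6-44 H=win2.example.com [203.0.113.10]:2079 Warning: Message has been scanned: no virus or other harmful content was found
2019-01-31 00:19:31 1gp04n-0007q6-44 H=win2.example.com [203.0.113.10]:2079 Warning: "SpamAssassin as myuser detected message as spam (10.0)"
2019-01-31 00:19:31 1gp04n-0007q6-44 <= forged@spammer.example H=win2.example.com [203.0.113.10]:2079 P=esmtp S=5098 id=abc@spammer.example T="This account has been hacked! Change your password right now!" for win-iso@mydomain.example
2019-01-31 00:19:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gp04n-0007q6-44
2019-01-31 00:19:31 1gp04n-0007q6-44 => win-iso <win-iso@mydomain.example> R=mailman_virtual_router T=mailman_virtual_transport
2019-01-31 00:19:31 1gp04n-0007q6-44 Completed
2019-01-31 00:19:31 SMTP connection from win2.example.com [203.0.113.10]:2079 closed by QUIT
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail.example.net [198.51.100.7]:35607 Warning: "SpamAssassin as myuser detected message as spam (1002.7)"
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail.example.net [198.51.100.7]:35607 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<tester@example.net> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (80)."
2019-02-05 11:02:03 1gr4Ab-0001Zz-9q <= editor@mydomain.example H=mail.example.net [198.51.100.7]:41000 P=esmtpsa S=2200 T="February newsletter" for win-iso@mydomain.example
2019-02-05 11:02:03 1gr4Ab-0001Zz-9q => win-iso <win-iso@mydomain.example> R=mailman_virtual_router T=mailman_virtual_transport
"""
ALLOWED_POSTERS = frozenset({"editor@mydomain.example"})  # constructed: the one address allowed to post

if __name__ == "__main__":
    for f in audit(parse_mainlog(SAMPLE_LOG.splitlines()), 6.0, ALLOWED_POSTERS):
        print(f"{f.id} {f.check}: {f.outcome} score={f.score} sender={f.sender} routers={f.routers}")
```

Run it against a real /var/log/exim_mainlog by reading the file's lines instead of SAMPLE_LOG; a "spam-over-threshold ... DELIVERED" finding is the signature of the scoring/deletion mismatch this thread describes, and the queue id in the finding is the one to grep for in the surrounding 11,000 lines.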
  8. JanKrohn

    I use the same settings.

    Interesting setting. Never noticed it before. It should be good to enable in any case.

    I'm still on v76. If it will be fixed on v78, then that's great. I was planning to upgrade anyway.
     
  9. cPanelLauren

    I can't guarantee that; I just happened to have a v78 server to test on. I haven't tested this on v76, since I didn't have a server with a live domain available to test on (without doing local delivery).
     
  10. JanKrohn

    Thanks for your help so far. With all the configuration changes in place, I think it's now safe to wait and see what happens.
    If a spam mail from a non-member gets caught in moderation within the next month or so, then I'd appreciate help with further investigation.

    If not, then I think the matter is closed (and I will lift some of the moderation settings in my lists again).
     
    cPanelLauren likes this.
  11. cPanelLauren

    Hi @JanKrohn

    Sounds great! Let us know though if it continues to occur.
    Thanks!
     